Report Calls for Reform of UK Surveillance Laws

A QUESTION OF TRUST

REPORT OF THE INVESTIGATORY POWERS REVIEW
by
DAVID ANDERSON Q.C.

Independent Reviewer of Terrorism Legislation

JUNE 2015
Presented to the Prime Minister

pursuant to section 7 of the

Data Retention and Investigatory Powers Act 2014

© Crown copyright 2015
This publication is licensed under the terms of the Open Government Licence v3.0
except where otherwise stated. To view this licence,
visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the
Information Policy Team, The National Archives, Kew, London TW9 4DU, or
email: psi@nationalarchives.gsi.gov.uk.
Where we have identified any third party copyright information you will need to obtain
permission from the copyright holders concerned.
This publication is available at www.gov.uk/government/publications
Any enquiries regarding this publication should be sent to the Independent Reviewer
of Terrorism Legislation at independent.reviewer@brickcourt.co.uk or by post to
David Anderson Q.C. at Brick Court Chambers, 7-8 Essex Street, London WC2R
3LD.
This document is also available from the Independent Reviewer’s website at
https://terrorismlegislationreviewer.independent.gov.uk
Print ISBN 9781474119450
Web ISBN 9781474119467
ID 20051503 06/15
Printed on paper containing 75% recycled fibre content minimum
Printed in the UK by the Williams Lea Group on behalf of the Controller of Her
Majesty’s Stationery Office

OUTLINE CONTENTS

Page
EXECUTIVE SUMMARY 1

DETAILED CONTENTS 10

PART I: BACKGROUND
1. INTRODUCTION 15

2. PRIVACY 25

3. THREATS 39

4. TECHNOLOGY 49

PART II: CURRENT POSITION
5. LEGAL CONSTRAINTS 71

6. POWERS AND SAFEGUARDS 95

7. PRACTICE 124

8. COMPARISONS 141

PART III: PERSPECTIVES AND VISIONS
9. LAW ENFORCEMENT 166

10. INTELLIGENCE 190

11. SERVICE PROVIDERS 203

12. CIVIL SOCIETY 213

PART IV: CHARTING THE FUTURE
13. PRINCIPLES 245

14. EXPLANATIONS 257

15. RECOMMENDATIONS 285

LIST OF ANNEXES

Page

Annex 1: List of Acronyms 308

Annex 2: Defined terms 313

Annex 3: Submissions 315

Annex 4: Meetings 317

Annex 5: Impact of encryption and anonymisation 321

Annex 6: Bodies with non-RIPA powers 323

Annex 7: The Snowden allegations 330

Annex 8: Interception case studies 334

Annex 9: Bulk data case studies 337

Annex 10: UK Retained communications data case studies 339

Annex 11: Crime types for which communications data is used 342

Annex 12: Urgency of requirements for communications data 343

Annex 13: Local authority use of communications data 344

Annex 14: Local authority RIPA requests via NAFN 348

Annex 15: The law of the Five Eyes 349

Annex 16: Potential use of traffic data by local authorities 370

Annex 17: ISIC Model A 372

Annex 18: ISIC Model B 373

EXECUTIVE SUMMARY

INTRODUCTION
1. As Independent Reviewer of Terrorism Legislation, I am required by the Data
Retention and Investigatory Powers Act 2014 to examine
a. the threats to the United Kingdom,
b. the capabilities required to combat those threats,
c. the safeguards to protect privacy,
d. the challenges of changing technologies, and
e. issues relating to transparency and oversight,
before reporting to the Prime Minister on the effectiveness of existing legislation
relating to investigatory powers, and to examine the case for a new or amending law.
2. The scope of this task extends well beyond the field of counter-terrorism. Public
authorities intercept communications, and collect information about communications,
for a host of other purposes including counter-espionage, counter-proliferation,
missing persons investigations and the detection and prosecution of both internet
enabled crime (fraud, cyber-attacks, child sexual exploitation) and crime in general.
3. The purpose of this Report is:
a. to inform the public and political debate on these matters, which at its worst
can be polarised, intemperate and characterised by technical
misunderstandings; and
b. to set out my own proposals for reform, in the form of five governing principles
and 124 specific recommendations.
4. In conducting my Review I have enjoyed unrestricted access, at the highest level of
security clearance, to the responsible Government Departments (chiefly the Home
Office and FCO) and to the relevant public authorities including police, National Crime
Agency and the three security and intelligence agencies: MI5, MI6 and GCHQ. I have
balanced those contacts by engagement with service providers, independent
technical experts, NGOs, academics, lawyers, judges and regulators, and by fact-
finding visits to Berlin, California, Washington DC, Ottawa and Brussels.
INFORMING THE DEBATE
5. The legal, factual and technological position as I understand it from my reading, my
visits and the large number of interviews I have conducted is set out in the first 12
Chapters of this Report.
1

EXECUTIVE SUMMARY
6. Part I of the report (BACKGROUND) establishes the context for the Review,
explores the central concept of privacy and considers both current and future threats
to the UK and the challenges of changing technology.
a. Chapter 1 (INTRODUCTION) sets out the scope, aims and methodology of the
Review.
b. Chapter 2 (PRIVACY) looks at the importance of privacy for individual, social
and political life. It charts attitudes to privacy and surveillance as they have
evolved over time and as they have recently been captured in court judgments
and in survey evidence from the UK and elsewhere.
c. Chapter 3 (THREAT) looks at the importance of security for individual, social
and political life. It assesses the threat to the UK in terms of both national
security and crime, and puts it into a long-term perspective.
d. Chapter 4 (TECHNOLOGY) explains the basic technology that underlies the
debate, from changing methods of communication and new capabilities to
encryption, anti-surveillance tools and the dark net.
7. Part II of the Report (CURRENT POSITION) explains the international legal
backdrop, the current powers and the way in which they are used.
a. Chapter 5 (LEGAL CONSTRAINTS) sets out the legal framework which
governs action in this field. In the absence of a written constitution, the chief
limitations on freedom to legislate are those imposed by the ECHR and (within
its field of application) EU law.
b. Chapter 6 (POWERS AND SAFEGUARDS) summarises the existing UK laws
under which public authorities may collect and analyse people’s
communications, or records of their communications. It introduces the key
concepts and summarises the various powers both under RIPA and outside it,
together with the principal oversight mechanisms.
c. Chapter 7 (PRACTICE) explains how those powers are applied in practice by
intelligence, police, law enforcement and others, touching also on data-sharing,
bulk personal datasets and the recently-avowed capability for computer
network exploitation.
d. Chapter 8 (COMPARISONS) provides three sets of benchmarks which may
assist in working out how UK law on Investigatory Powers should look. These
are:
 other forms of surveillance (directed and intrusive surveillance,
property interference, covert human intelligence sources etc.),
 the laws of other countries, particularly in Europe and the English-
speaking world, and
2

EXECUTIVE SUMMARY
 the use made of individuals’ communications by service providers,
retailers and other private companies.
8. Part III of the Report (PERSPECTIVES AND VISIONS) draws on the submissions
and evidence received by the Review in order to summarise the wishes of interested
parties.
a. Chapter 9 (LAW ENFORCEMENT) summarises the requirements of the NCA,
police, local authorities and other law enforcement bodies. It addresses the
utility of interception and communications data for their work, and their views
on capabilities and safeguards.
b. Chapter 10 (INTELLIGENCE) summarises the submissions made to the
Review by the security and intelligence agencies: MI5, MI6 and GCHQ. It
explains their views on technological change and encryption, what they say
they need to maintain existing access and their priorities in relation to
capabilities and authorisation of warrants.
c. Chapter 11 (SERVICE PROVIDERS) summarises the submissions made to
the Review by communications service providers, both in the US (regarding
cooperation with the UK Government and extraterritorial effect) and in the UK
(where there was a strong emphasis on the strengthening of controls and
oversight).
d. Chapter 12 (CIVIL SOCIETY) summarises the case made to the Review by
civil society groups and individuals, some of whom challenged the need for
current capabilities, and most of whom emphasised what they saw as the need
for transparency, coherence and clarity and improved scrutiny and safeguards.
PROPOSALS FOR REFORM
9. Part IV of the Report (CHARTING THE FUTURE) contains my proposals for
change.
a. Chapter 13 (PRINCIPLES) characterises the key issue as one of trust, and
sets out the five principles on which my recommendations are founded:
 Minimise no-go areas
 Limited powers
 Rights compliance
 Clarity
 Unified approach.
Under the fifth principle, I explain my reasons for rejecting the ISC’s
recommendation that the law in this area should, for the first time, enshrine a
clear separation between intelligence and law enforcement functions.
3

EXECUTIVE SUMMARY
b. Chapter 14 (EXPLANATIONS) is a commentary on the principal
recommendations set out in Chapter 15. It explains my thinking on key issues
such as:
 Defining content and communications data
 Compulsory data retention
 The proposals in the 2012 Communications Data Bill
 Bulk collection and bulk warrants
 Specific interception warrants
 Judicial authorisation
 Collection of communications data
 Extraterritorial effect
 Use of intercepted material and data
 The Independent Surveillance and Intelligence Commission (ISIC)
 The IPT
 Transparency.
c. Chapter 15 (RECOMMENDATIONS) sets out my 124 specific and inter-related
recommendations for reform.
SUMMARY OF PROPOSALS
Shape of the new law
10. A comprehensive and comprehensible new law should be drafted from scratch,
replacing the multitude of current powers and providing for clear limits and safeguards
on any intrusive power that it may be necessary for public authorities to use.1
11. The definitions of content and of communications data should be reviewed, clarified
and brought up to date.2
Capabilities
12. The power to require service providers to retain communications data for a period
of time should continue to exist, consistently with the requirements of the ECHR and
of EU law.3
1
Recommendations 1-9, 14.3-14.7 below.
2
Recommendation 12, 14.10-14.12 below.
3
4

EXECUTIVE SUMMARY
13. In relation to the subject-matter of the 2012 Communications Data Bill:
a. The provisions for IP resolution in the Counter Terrorism and Security Act
2015 are useful and should be kept in force.4
b. The compulsory retention of records of user interaction with the internet (web
logs or similar) would be useful for attributing communications to individual
devices, identifying use of communications sites and gathering intelligence or
evidence on web browsing activity. But if any proposal is to be brought forward,
a detailed operational case needs to be made out, and a rigorous assessment
conducted of the lawfulness, likely effectiveness, intrusiveness and cost of
requiring such data to be retained.5
c. There should be no question of progressing proposals for the compulsory
retention of third party data before a compelling operational case for it has
been made out (as it has not been to date) and the legal and technical issues
have been fully bottomed out.6
14. The capability of the security and intelligence agencies to practise bulk collection of
intercepted material and associated data should be retained (subject to rulings of the
courts),7
but used only subject to strict additional safeguards concerning:
a. judicial authorisation by ISIC;8
b. a tighter definition of the purposes for which it is sought, defined by operations
or mission purposes;9
c. targeting at the communications of persons believed to be outside the UK at
the time of those communications;10
and
d. the need for a specific interception warrant to be judicially authorised if the
applicant wishes to look at the communication of a person believed to be within
the UK.11
15. There should be a new form of bulk warrant, the bulk communications data warrant,
which would be limited to the acquisition of communications data and could thus be
a proportionate option in certain cases.12
4
Recommendation 14 below.
5
6
7
8
Recommendations 22, 45-48, 14.47-14.57 below.
9
Recommendation 43, 14.75 below.
10
11
12
Recommendation 42(b) and 44, 14.73 and 14.77 below.
5

EXECUTIVE SUMMARY
Warrants for interception
16. All warrants should be judicially authorised by a Judicial Commissioner at a new
body: the Independent Surveillance and Intelligence Commission (ISIC).13
17. Where a warrant is said to be required in the interests of a national security purpose
that relates to the defence and/or foreign policy of the UK, the Secretary of State
should have the power so to certify (and, in the case of a bulk warrant, to certify that
the warrant is required for the operation(s) or mission purpose(s) identified). The
Judicial Commissioner, in determining whether to issue the warrant, should have the
power to depart from that certificate only on the basis of the principles applicable in
judicial review.14
18. Specific interception warrants may be targeted not only on persons or premises
but (like the existing thematic warrants) on operations. That is subject to the
additional protection that, save where ordered by the Judicial Commissioner, the
addition of persons and premises to the schedule of the warrant must be specifically
authorised by a Judicial Commissioner.15
19. The warrantry procedure should be streamlined by providing for:
a. Serious crime warrants, like national security warrants, to be of six months’
duration;16
b. Renewals to take effect from the expiry of the original warrant;17
c. Combined warrants for interception, intrusive surveillance and/or property
interference, so long as the conditions for each type of warrant are individually
satisfied.18
20. Pending a longer-term and more satisfactory solution, the extraterritorial effect in
DRIPA s4 should be maintained.19
Authorisation for acquisition of communications data
21. Designated persons (DPs) (including in the security and intelligence agencies) should
be required by statute to be independent from the operations and investigations in
relation to which they consider whether to grant an authorisation.20
22. Single Points of Contact (SPoCs) should be provided for in statute.21
13
14
Recommendations 30 and 46, 14.64-14.66 below.
15
16
17
18
19
20
21
6

EXECUTIVE SUMMARY
23. The SPoC function for all minor users of communications data should in future be
compulsorily performed by an independent SPoC at the National Anti-Fraud Network
(NAFN).22
24. Now that all local authority requests for communications data must be submitted to
independent SPoCs at NAFN and approved by a designated person of appropriate
seniority, the additional requirement of approval by a magistrate or sheriff should
be abandoned.23
25. The DP of any public authority which seeks communications data for the purpose of
determining matters that are privileged or confidential must either refuse the
request or refer it to ISIC for determination by a Judicial Commissioner.24
26. Where a request is not directed to such a purpose but relates to persons who handle
privileged or confidential information (doctors, lawyers, journalists, MPs etc.),
special considerations and arrangements should be in place, and the authorisation if
granted should be flagged for the attention of ISIC.25
27. Where a novel or contentious request is made for communications data, the
requesting public authority on the advice of the DP should refer the matter to ISIC for
a Judicial Commissioner to decide whether to authorise the request.26
Oversight and review
28. The Independent Surveillance and Intelligence Commission (ISIC) should
replace the offices of the three current Commissioners.27
29. ISIC should take over the intelligence oversight functions of the ISCommr, the
existing auditing functions of its predecessor Commissioners, and additional
functions relating in particular to the acquisition and use of communications data,
the use of open-source intelligence and the sharing and transfer of intercepted
material and data.28
30. Through its Judicial Commissioners, who should be serving or retired senior judges,
ISIC should also take over the judicial authorisation of all warrants and of certain
categories of requests for communications data, in addition to the approval functions
currently exercised by the OSC in relation to other forms of surveillance and the ability
to issue guidance.29
22
23
24
Recommendation 68, 14.85(a) below.
25
Recommendation 67, 14.85(b) below.
26
Recommendations 70-71, 14.86 below.
27
28
29
Recommendations 84-88, 14.95 below.
7

EXECUTIVE SUMMARY
31. ISIC, on its own initiative or at the suggestion of a public authority or CSP, should
have additional powers to notify subjects of their right to lodge an application to the
IPT.30
32. ISIC should be public-facing, transparent, accessible to media and willing to draw on
expertise from different disciplines.
33. The Investigatory Powers Tribunal (IPT) should have an expanded jurisdiction and
the capacity to make declarations of incompatibility; and its rulings should be subject
to appeal on points of law.31
Transparency
34. Whilst the operation of covert powers is and must remain secret, public authorities,
ISIC and the IPT should all be as open as possible in their work. Intrusive capabilities
should be avowed. Public authorities should consider how they can better inform
Parliament and the public about why they need their powers, how they interpret those
powers, the broad way in which those powers are used and why additional
capabilities may be required.32
CONCLUSION
35. RIPA, obscure since its inception, has been patched up so many times as to make it
incomprehensible to all but a tiny band of initiates. A multitude of alternative powers,
some of them without statutory safeguards, confuse the picture further. This state of
affairs is undemocratic, unnecessary and – in the long run – intolerable.
36. Parliament provided the Review with a broad canvas,33
which I have done my best to
cover. The recommendations in Chapter 15 aim to provide a clear, coherent and
accessible scheme, adapted to the world of internet-based communications and
encryption, in which:
a. public authorities have limited powers, but are not shut out from places where
they need access to keep the public safe;
b. procedures are streamlined, notably in relation to warrants and the
authorisation of local authority requests for communications data;
c. safeguards are enhanced, notably by:
i. the authorisation of warrants by senior judges;
ii. additional protections relating to the collection and use of
communications by the security and intelligence agencies in bulk;
30
31
Recommendations 99 and 113-117, 14.101-14.108 below.
32
Recommendations 9 and 121-124, 14.7 and 14.110-14.111 below.
33
1.2 below.
8

EXECUTIVE SUMMARY
iii. greater supervision of the collection of communications data, including
judicial authorisation where privileged and confidential material is in
issue or novel and contentious requests are made;
iv. improved supervision of the use of communications data, including in
conjunction with other datasets and open-source intelligence; and
v. a new, powerful, visible and accountable intelligence and surveillance
auditor and regulator.
37. My aim has been to build on the best features of the current regime and to learn from
the practice of other countries. The resulting framework aims not only to satisfy the
majority who broadly accept current levels of investigatory activity and supervision,34
but to help build trust among sceptics both in the UK and abroad.
38. The opportunity now exists to take a system characterised by confusion, suspicion
and incessant legal challenge, and transform it into a world-class framework for the
regulation of strong and vital powers. I hope that opportunity will be taken.
2.27 and 2.34 below.
9

34

DETAILED CONTENTS
PART I: BACKGROUND
1. INTRODUCTION 15

Genesis of the Review 15

Context of the Review 15

Scope of the Review 19

Working methods 22

Terminology 23

Treatment of classified material 23

2. PRIVACY 25

Introduction 25

The evolution of privacy 25

Perspectives on privacy 26

Why is privacy important? 27

Privacy: a qualified right 28

The position of the UK 29

Modern attitudes to privacy 32

The Snowden effect 34

Is privacy dead? 36

3. THREATS 39

Introduction 39

The threat in perspective 39

The importance of good order 40

National security threats 41

Crime and public safety 44

Conclusion 47

4. TECHNOLOGY 49

Introduction 49

Changing methods of communication 49

Global nature of the internet 51

10

DETAILED CONTENTS
Fragmentation of providers 52

Difficulties in attributing communications 52

New sources of data 54

Geographical changes 59

Encryption 60

The dark net 65

Anonymity and anti-surveillance tools 66

Decentralised networks 67

New capabilities 68

PART II: CURRENT POSITION
5. LEGAL CONSTRAINTS 71

The common law 71

The European Convention on Human Rights 73

The law of the European Union 84

International Law 92

6. POWERS AND SAFEGUARDS 95

Key concepts 95

Powers outside RIPA 97

Other intrusive capabilities 100

RIPA powers 103

RIPA safeguards 113

Data Sharing 115

Oversight 119

7. PRACTICE 124

Sources and scope 124

The Snowden Documents 124

Interception 126

Communications data 133

Computer network exploitation 137

Intelligence sharing 138

Bulk Personal Datasets 139

The Management of Relationships with CSPs 139

11

DETAILED CONTENTS
8. COMPARISONS 141

Other forms of surveillance 141

International Comparisons 148

Private sector activity 154

PART III: PERSPECTIVES AND VISIONS
9. LAW ENFORCEMENT 166

Scope and sources 166

Summary of requirements 167

Utility of intercept and communications data 168

Capabilities: interception 172

Capabilities: communications data 173

Minor users 183

Oversight 188

10. INTELLIGENCE 190


The Agencies 192

Summary of requirements 193

Agency capabilities 194

11. SERVICE PROVIDERS 203


The importance of trust 203

International enforcement 204

Views of service providers 205

12. CIVIL SOCIETY 213

Sources and scope 213

Transparency 213

Coherence and clarity 218

Scope of investigatory powers 223

Increase scrutiny and safeguards 227

12

DETAILED CONTENTS
Improve oversight 235

Future-proofing 242

PART IV: CHARTING THE FUTURE

13. PRINCIPLES 245

A question of trust 245

First principle: minimise no-go areas 247

Second principle: limited powers 248

Third principle: rights compliance 251

Fourth principle: clarity and transparency 252

Fifth principle: a unified approach 253

Recommendations – the objective 255

14. EXPLANATIONS 257

INTRODUCTION 257

GENERAL (Recommendations 1-12) 258

CAPABILITIES (Recommendations 13-19) 260

INTERCEPTION AND ACQUISITION OF DATA (Recommendations 20-71) 270

USE OF INTERCEPTED MATERIAL AND DATA (Recommendations 72-81) 279

OVERSIGHT AND REVIEW (Recommendations 82-121) 280

TRANSPARENCY (Recommendations 121-124) 284

15. RECOMMENDATIONS 285

GENERAL 285

CAPABILITIES 287

INTERCEPTION AND ACQUISITION OF DATA 288

USE OF INTERCEPTED MATERIAL AND DATA 297

OVERSIGHT AND REVIEW 299

TRANSPARENCY 306

13

PART I: BACKGROUND

Part I of the Report (BACKGROUND) establishes the context for the
Review, explores the central concept of privacy and considers both
current and future threats to the UK and the challenges of changing
technology.
 Chapter 1 (INTRODUCTION) sets out the scope, aims and
methodology of the Review.
 Chapter 2 (PRIVACY) looks at the importance of privacy for
individual, social and political life. It charts attitudes to privacy and
surveillance as they have evolved over time and as they have
recently been captured in court judgments and in survey evidence
from the UK and elsewhere.
 Chapter 3 (THREATS) looks at the importance of security for
individual, social and political life. It assesses the threat to the UK
in terms of both national security and crime, and puts it into a long
term perspective.
 Chapter 4 (TECHNOLOGY) explains the basic technology that
underlies the debate, from changing methods of communication
and new capabilities to encryption, anti-surveillance tools and the
dark net.
14

1. INTRODUCTION
Genesis of the Review
1.1. The Data Retention and Investigatory Powers Act 2014 [DRIPA 2014] completed its
parliamentary passage in just four days, receiving Royal Assent on 17 July 2014.
Emergency legislation was said to be needed in order to ensure that UK law
enforcement and security and intelligence agencies could maintain their ability to
access the telecommunications data they need to investigate criminal activity and
protect the public. As part of the political agreement that secured cross-party support
for the Bill, the Home Secretary was required (by DRIPA 2014 s7) to “appoint the
independent reviewer of terrorism legislation to review the operation and regulation of
investigatory powers”. This Report is the outcome of that Review.
1.2. I am required to consider, in particular:
“(a) current and future threats to the United Kingdom;
(b) the capabilities needed to combat those threats;
(c) safeguards to protect privacy;
(d) the challenges of changing technologies;
(e) issues relating to transparency and oversight;
(f) the effectiveness of existing legislation (including its proportionality) and
the case for new or amending legislation.”1
1.3. The Review was to be completed so far as reasonably practicable by 1 May 2015,
and a report sent to the Prime Minister as soon as reasonably practicable after
completion.2
This report is up to date to 1 May 2015, and was sent to the Prime
Minister on 6 May 2015. On receipt, the Prime Minister is obliged to lay a copy of the
Report before Parliament, together with a statement as to whether any matter had
been excluded from it on the basis that it seemed to him to be “contrary to the public
interest or prejudicial to national security”.3
Context of the Review
Data retention and extraterritoriality
1.4. The two matters said to justify the emergency passage of DRIPA 2014 were:
(a) the April 2014 ruling of the Grand Chamber of the Court of Justice of the
European Union [CJEU] in the Digital Rights Ireland case,4
[Digital Rights
Ireland], declaring invalid the EU Data Retention Directive5
which provided
1
DRIPA 2014, s7(2).

2
DRIPA 2014, s7(3)(4).

3
DRIPA 2014, s7(5)(6).

4
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and others, EU:C:2014:238.

5
Directive 2006/24/EC: [EU Data Retention Directive].

15

CHAPTER 1: INTRODUCTION
the legal basis for UK Regulations requiring service providers6
to retain
communications data for law enforcement purposes for a specified period;7
and
(b) the need to put beyond doubt the extraterritorial effect of warrants,
authorisations and requirements relating to interception and communications
data, so that they could for example be served on overseas service providers.
These matters were addressed in DRIPA 2014 ss1 and 4, respectively. Other
technical and definitional changes were made by the Act. According to its Explanatory
Memorandum, the purpose of DRIPA 2014 was “not ... to enhance data retention
powers”, but rather to preserve pre-existing capabilities.8
1.5. In recognition of the very short time available for debate, DRIPA 2014 contains a
“sunset clause” which provides for its operative provisions to expire at the end of
2016.9
Ministers and Shadow Ministers expressed the hope that the present Report
will assist Parliament’s consideration of whether the data retention and
extraterritoriality powers contained in DRIPA 2014 should be renewed beyond that
date.10
The broader context
1.6. But as the wide terms of s7 confirm, the scope of this Review extends well beyond
the provisions of DRIPA 2014. The setting up of the Review reflects a broader political
context, including:
(a) what law enforcement and intelligence bodies had identified as their reduced
coverage of electronic communications, as a consequence of:
 the long-term shift from telephone communications via UK service providers
towards internet-based communications through overseas (especially US)
service providers; and
 other technological changes, including the growth of secure encryption for
internet communications;11
6
For ease of reference, the term “service providers” is used to refer to: (1) companies which offer
communications services ([CSPs] properly so called), such as BT and Vodafone, (2) companies
providing internet access (commonly referred to as Internet Service Providers [ISPs]), such as AOL,
Virgin Media and Sky (collectively, technical readers will know these two categories as the four lower
levels of the OSI 7-layer model), and (3) companies which operate “over the top” [OTT] of an internet
connection (commonly called OTT providers or applications services providers), such as Facebook
and Twitter. Some CSPs are also ISPs. Some companies offer communications services, internet
access and OTT services (e.g. BT TV, over its own internet service). Reference is made to the
individual category of service provider where necessary. The term CSP is used when referring to both
CSPs and ISPs.
7
The Data Retention (EC Directive) Regulations SI 2009/859, which were adopted pursuant to the
European Communities Act 1972 [ECA 1972] s2(2). Regulations under the ECA 1972 depend upon
the existence of a valid EU instrument.
8
Explanatory Memorandum, para 32.
9
DRIPA 2014 s8.
10
Hansard, HC Debs, 15 July 2014, Col 714 (Theresa May) and Col 723 (Yvette Cooper).
11
See further, 4.41-4.65 below.
16

(b) the Communications Data Bill of 2012, which sought to remedy gaps in that
coverage in a number of ways (some of which had been prefigured under the
previous Government). It was considered in draft by two parliamentary
committees, but never introduced to Parliament as a consequence of
disagreements within the Coalition;
(c) the publication since 2013 of a selection of documents, removed without
authorisation from the US National Security Agency [NSA] by the contractor
Edward Snowden and purporting to describe various capabilities of the NSA
and other agencies, including the UK’s Government Communications
Headquarters [GCHQ], [the Snowden Documents];12
and
(d) the various consequences of publication of the Snowden Documents,
including:
 disquiet and suspicion among sections of the public in the UK and other
countries, prompted in particular by allegations of bulk collection and
analysis of data on a previously unreported scale;
 a new emphasis by service providers on customer privacy, reflected in a
quickening of the trend towards universal encryption and a reduction in
voluntary cooperation with foreign governments;
 pleas from law enforcement and security and intelligence agencies for better
cooperation from overseas service providers, and better means of
enforcement against them; and
 unprecedented levels of activity from the UK’s supervision mechanisms, in
particular the Investigatory Powers Tribunal [IPT], Interception of
Communications Commissioner’s Office [IOCCO] and Intelligence and
Security Committee of Parliament [ISC], each of which has examined and
reported on allegations arising out of the Snowden Documents.
1.7. The debate is thus a double-jointed one, featuring arguments for more and for less
capability, for more safeguards and for the removal of limitations that serve no useful
purpose. If it is at times bitterly contested, that is because both sides (with
unquestionable sincerity) see their position as under threat:
(a) Privacy advocates emphasise the growing volume of electronic
communications, as well as their quality, and extended techniques for the
gathering and analysis of them, as lives are increasingly lived online. They
campaign for reduced powers, or at any rate enhanced safeguards, to protect
the individual from the spectre of a surveillance state.
A catalogue of the Snowden Documents placed in the public domain is maintained by the Lawfare
Institute: http://www.lawfareblog.com/catalog-of-the-snowden-revelations/. See also the Snowden
Digital Surveillance Archive: https://snowdenarchive.cjfe.org/greenstone/cgi-bin/library.cgi and The
Electronic Frontier Foundation: https://www.eff.org/nsa-spying/nsadocs.
17

12

(b) The authorities see a decline in the proportion of electronic communications
which they have the ability to access or to make use of, fear the emergence of
channels of communication that cannot be monitored, and seek to redress the
balance with new powers in the interests of national security and the prevention
and detection of crime.
Each sees a future in which they lose control. Privacy advocates look at a world in
which ever more data is produced, aggregated and mined. The authorities fear
developments such as universal default encryption, peer-to-peer networks and the
dark net.
The effect of Snowden
1.8. Each of the rival camps is well-entrenched: the Communications Data Bill was being
proposed, and caricatured as a “snoopers’ charter”, before anyone had heard of
Edward Snowden. But the Snowden Documents have transformed the position in a
number of ways.
(a) They have provided material for debate: though the UK Government retains its
strict policy of “neither confirm nor deny” [NCND],13
some capabilities have
been admitted (notably PRISM, after its acknowledgment by the US
Government, and computer network exploitation [CNE]) and the IPT in
particular has been prepared to review the lawfulness of other programmes
(such as TEMPORA) on the basis of assumed facts.
(b) For privacy advocates, the Snowden Documents have caused them to believe
that investigatory powers are used more widely even than they had suspected,
and provided a nucleus for wide-ranging litigation.14
(c) The opening up of the debate has however come at a cost to national security:
the effect of the Snowden Documents on the behaviour of some service
providers and terrorists alike has, for the authorities, accentuated the problem
of reduced coverage and rendered more acute the need for a remedy.
The international dimension
1.9. There is some evidence that reaction to the Snowden Documents was less marked,
and less negative, in the UK than in some other countries.15
But to approach the
debate as though domestic considerations are all that matter is not realistic, for at
least four reasons:
(a) International travel, the global nature of the internet and the ability to tap
international cables means that the use of investigatory powers by UK
authorities inevitably impacts upon persons who are neither British citizens nor
present in the UK.
13
Though see Belhadj and others v Security Service and other (Case no. IPT/13132-9/H) [Belhadj IPT
Case], judgment of 29 April 2015.
14
See further 5.35-5.54 below.
15
See 2.25-2.35 below.
18

(b) The safeguards on the use of those powers must be sufficiently strong not only
to satisfy public opinion in the UK, but to persuade governments and overseas
service providers (including particularly in the USA) that they can and should
cooperate with requests for information.
(c) For as long as the UK accepts the jurisdiction of the European Court of Human
Rights [ECtHR] and CJEU, its law must conform to the principles of their
jurisprudence, with its strong emphasis on the protection of private
communications, as well as to the constraints of international law.
(d) Whatever solution the UK arrives at may well be influential in other countries.
Nothing should be proposed for the UK that would not be accepted if it were
adopted by other democratic nations.
Scope of the Review
Definition of investigatory powers
1.10. The “investigatory powers” that I am required to review are not defined in DRIPA 2014,
nor even in the central piece of legislation in this area: the Regulation of Investigatory
Powers Act 2000 [RIPA]. It might have been legitimate to understand the phrase as
encompassing the full range of such powers, including directed and intrusive
surveillance (tailing, bugging), property interference and the use of covert human
intelligence sources [CHIS]. The concept might even be extended further, to cover
surveillance cameras and DNA databases.
1.11. I have however approached the task with regard to my initial Terms of Reference,
issued in July 2014, which define the objective of the Review as being
“[t]o review the use of legislation governing the use of communications data
and interception ...”,
with regard among other things to “the effectiveness of current statutory oversight
arrangements”.16
The Security Minister confirmed during the passage of the Bill that
this was the intended scope of the Review.17
Interception and communications data
are governed by RIPA Part I; RIPA Part IV covers codes of practice and scrutiny by
Commissioners and by the IPT. Those are the subjects I have covered in this Review,
though by reference also to statutes other than RIPA, and with an eye to the
comparisons presented by other types of surveillance and spying powers, particularly
when they are used for similar purposes, as for example CNE may be. Some of my
recommendations, if adopted, will affect such powers.
16
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/330749/Review_of_Co
mmunications_Data_and_Interception_Powers_Terms_of_Reference.pdf.
17
Hansard HC Debs 15 July 2014 cols 804, 806.
19

Objectives of this Report
1.12. Even so limited, DRIPA 2014 s7 presents me with a very broad canvas. In seeking
to cover it, my objectives have been two-fold:
(a) to inform the public and parliamentary debate by providing the legal,
technological and operational context, and by seeking to encapsulate the views
of the main stakeholders; and
(b) to offer my own proposals for change, based on all the evidence I have heard
and read.
Though I seek to place the debate in a legal context, it is not part of my role to offer a
legal opinion (for example, as to whether the bulk collection of data as practised by
GCHQ is proportionate). A number of such questions are currently before the courts,
which have the benefit of structured and opposing legal submissions and (in the case
of the IPT) the facility to examine highly secret evidence, and which are the only bodies
that can authoritatively determine them.
1.13. Deciding the content of the law in this area is for Parliament, subject only to any
external legal constraints; and there are wide issues of principle on which the views
of one individual (or even one committee) could never aspire to be determinative.18
But I am invited to opine on a variety of topics, some of them quite technical in nature,
and hope that by basing my conclusions where possible on evidence, MPs and others
will at least be in a position to judge whether my recommendations are worthy of being
followed.
Not limited to terrorism
1.14. This Review overlaps only slightly with my work as independent reviewer of terrorism
legislation.19
In that (part-time) capacity, I report regularly to Ministers and to
Parliament on the operation of laws directed specifically to counter-terrorism, but not
on laws relating to investigatory powers, which are within the competence of others.20
The subject matter of this one-off Review is therefore quite distinct from the normal
work of the independent reviewer.
1.15. I would emphasise that:
(a) Investigatory powers vary greatly in their impact. Broad powers of bulk
collection are used by GCHQ to identify threats to national security from vast
quantities of data. But highly targeted communications data requests are used
18
See e.g. the issue of whether the retention by service providers of data capable of revealing web
browsing history constitutes an acceptable intrusion into privacy, which the Joint Committee on the
Draft Communications Data Bill [JCDCDB] after its own thorough investigation felt compelled to leave
to Parliament: Report of the JCDCDB, HL Paper 79 HC 479, (December 2012) [JCDCDB Report],
para 294.
19
I remain a Q.C. (self-employed barrister) in independent practice. Full details of the role of
independent reviewer, and of the reports I have produced in the course of it, are on my website:
https://terrorismlegislationreviewer.independent.gov.uk/.
20
In particular, IOCCO. Other forms of surveillance are reported upon by the Intelligence Services
Commissioner [ISCommr] and by the Office of Surveillance Commissioners [OSC].
20

for such relatively straightforward tasks as tracing the maker of a 999
(emergency) call, or a “reverse look-up” to identify any mobile phones
registered to a particular postal address.
(b) Some powers are used (and were always intended to be used) by a wide range
of public authorities, from the National Crime Agency [NCA] to local authorities,
and for a host of purposes including murder investigations, the tracing of
missing persons, the investigation of organised crime, the detection of cyber
crime (including child sexual exploitation and online fraud) and the enforcement
of trading standards.
1.16. It would be unfortunate if my association with the review of terrorism laws were to fuel
the common misconception that investigatory powers are designed solely or even
principally to fight terrorism. They have a vital part to play in that fight, as this Report
will set out. But they are properly and productively used both in a broader national
security context (e.g. counter-espionage, counter-proliferation) and in combating a
wide range of other crimes, most of them more prevalent than terrorism and some of
them just as capable of destroying lives.
Structure of this Report
1.17. The structure of this Report should be evident from the Contents. In summary:
(a) Part I introduces the task, explores the central concept of privacy and
discharges my statutory function of reviewing “current and future threats to the
United Kingdom” and “the challenges of changing technologies”.21
(b) Part II explains the current position, touching on legal constraints before
summarising existing powers and how they are used by the authorities. It also
seeks to provide some alternative reference points by looking at other types of
surveillance by public authorities, the laws of other countries and the use of
communications data by private companies.
(c) Part III seeks to summarise the views expressed to the Review by the four main
groups which submitted evidence to the Review: law enforcement, intelligence,
service providers and civil society.
(d) Part IV explains and sets out my recommendations for change. Drawing on
previous parts of the Report, it incorporates my conclusions on “the capabilities
needed to combat those threats”, “safeguards to protect privacy”, “issues
relating to transparency and oversight” and “the effectiveness of existing
legislation (including its proportionality) and the case for new or amending
legislation”.22
21
DRIPA 2014, s7(a)(d).
22
DRIPA 2014, s7(b)(c)(e)(f).
21

Other reviews
1.18. The initial terms of reference state that my Review will take account of:
“the findings of the [JCDCDB], RUSI Review, the ISC Privacy and Security
Inquiry and administrative and resource impacts”.
1.19. Of the three bodies there mentioned:
(a) The JCDCDB reported on 11 December 2012, in the JCDCBC Report: I refer
its findings in Chapters 4, 8, 9, 14 and 15, below.
(b) The ISC produced its report [ISC Privacy and Security Report] on 12 March
2015.23
In keeping with the functions of the ISC, that report is limited to the
activities of the security and intelligence agencies; but it made some far-
reaching recommendations, including for the drafting of a bespoke new law to
cover all intelligence agency activity.
(c) The Royal United Services Institute [RUSI] Independent Surveillance Review
[the RUSI Review] announced by the Deputy Prime Minister on 4th
March
2014, has not yet reported.
According to the same terms of reference, this Report is to mark the end of the first
phase of a Review that will be carried on by a Joint Committee to be established in the
next Parliament. I have no doubt that the RUSI Review, and all other relevant material,
will be given due weight during the second phase.
Working methods
1.20. I issued a formal call for evidence in July 2014, on my website and via twitter, which
was supplemented by a number of specific requests and attracted written
submissions (sometimes on a repeated basis) from 67 individuals, NGOs, service
providers, individuals, regulators and public authorities. Most in the latter category
are classified because of operational sensitivities; but the submissions that I have
consent to publish may be found on my website.24
Almost without exception I have
found them useful, informative and thought-provoking.
1.21. I followed up many of the submissions orally and have held meetings with a wide
range of interlocutors in the UK.25
I have benefited from the wide range of expertise
presented at Wilton Park meetings in October and November 2014, which provided a
unique opportunity for dialogue between people with very different perspectives, and
from conferences organised by the Bingham Centre for the Rule of Law and by
JUSTICE. I made productive trips to Berlin, San Francisco and Silicon Valley,
Washington DC and Ottawa, all in December 2014, and to Brussels in January 2015.
23
Privacy and Security: A modern and transparent legal framework, HC 1075, (March 2015).
24
https://terrorismlegislationreviewer.independent.gov.uk/.
25
In keeping with the mode of operation of the independent reviewer of terrorism legislation, and in order
to achieve maximum frankness from those to whom I spoke, those meetings were confidential and not
formally minuted. They included several meetings with and fact-finding visits to the Security Service
[MI5], the Secret Intelligence Services [MI6] and GCHQ.
22

Full lists of all those who made written submissions to the Review, and of the
organisations (and in some cases individuals) with whom I have spoken, are at Annex
3 and Annex 4 to this Report.
1.22. In addition, the ISC shared with me the entirety of the extensive closed evidence that
it took as part of its own Privacy and Security Review, and I have seen the confidential
parts of the ISC’s report as well as of the reports of IOCCO and the ISCommr. Much
highly classified material was volunteered to me, and nothing that I asked to see,
however sensitive or secret, was withheld from me.
1.23. I was fortunate to recruit to the Review team two barristers (Tim Johnston and Jennifer
MacLeod), a solicitor (Rose Stringer) and a former civil servant (Robert Raine CBE),
each of whom, despite other commitments, has given substantial time and effort to
the Review, greatly extending its reach and helping to ensure its quality. Dr Bob Nowill
agreed to act as technical consultant: he has explained much and saved me from a
number of errors. Commissioners, judges, academics, lawyers, non-governmental
organisations [NGOs], technology experts, retired civil servants and others from
across the world have been generous with their help: they have done much to
challenge and influence my views. Eric King, Tom Hickman, Ben Jaffey and Jo Cavan
each commented on one or more draft Chapters dealing with technology, law and
practice. None of the above should be associated with any of the views expressed in
this Report, which (like any factual errors) are my responsibility alone.
Terminology
1.24. Lists of the acronyms and definitions used in this Report are at Annex 1 and Annex 2
respectively.
Treatment of classified material
1.25 It is my practice when reviewing the terrorism laws to produce a single, open report
which can be shared with Parliament and public without the need for redactions. I
have followed the same approach in this report. My aim was to ensure that the Prime
Minister would not be called upon to use his power of exclusion under DRIPA s7. To
that end I have shared parts of my draft report with the Government in advance, for
the purpose of ensuring that national security-sensitive passages could be identified
and, by negotiation or agreement, rendered acceptable for public release.
1.26 In a few respects (e.g. the bulk collection case studies at Annex 9), this Report contains
material that security and intelligence agencies have not previously put into the public
domain. But it has not been possible to deal in the pages of this Report with everything
that is relevant to the Review.26
1.27 I have emphasised in my Recommendations the importance of transparency, of public
avowal, and of backing all capabilities with accessible and foreseeable legal
provisions.27
More broadly, my conclusions have been arrived at on the basis of all
26
This will not be surprising to any reader of the ISC’s Privacy and Security Report: the existence of
classified material relevant to its subject and to mine is indicated by the frequent use of asterisks.
27
See in particular Recommendations 3-5, 8-10 and 121-124.
23

the information I have myself received: both that which can be disclosed and that which
cannot. But it is only fair to point out that (as would no doubt be expected) there are
matters relevant to this Review that cannot be referred to in public and that I have
therefore not referred to at all.
24

2. PRIVACY
Introduction
2.1. The exercise of investigatory powers impinges on a variety of human rights and
interests, including (as will be seen) freedom of expression, freedom of assembly and
the peaceful enjoyment of property. At the root of them are concepts which have been
described in international human rights instruments as “the right to respect for …
private … life, home and communications” and “the right to protection of personal
data”.1
The catch-all word “privacy” is often used, and will be used here, as an
imprecise but useful shorthand for such concepts.
2.2. The UK public and courts are sometimes said to be less protective of privacy than
their counterparts elsewhere: a proposition that I examine at 2.26-2.35 below. But as
has been pertinently remarked:
“A public that is unable to understand why privacy is important – or which lacks
the conceptual tools necessary to engage in meaningful debates about its
value – is likely to be particularly susceptible to arguments that privacy should
be curtailed.”2
This Chapter seeks to look under the surface of what we call privacy, in order better to
understand the reasons why investigatory powers need to be limited and to inform the
debate on the form that such limitations should take.
The evolution of privacy
2.3. It has been claimed that privacy is a “modern” concept, a “luxury of civilisation”,
unknown (and unsought) in “primitive or barbarous” societies.3
But ideas of privacy,
including the relative freedom of the home from intrusion, are set out in the Code of
Hammurabi of Ancient Babylonia, the laws of Ancient Greece and Rome and of
Ancient China.4
References are found to privacy in a range of religious texts, including
the Bible, the Koran, and Jewish law.5
Anthropologists have suggested that the need
for privacy, while sensitive to cultural factors, is not limited to certain cultures. Rather,
most societies regard some areas of human activity as being private, even if there are
1
European Union Charter of Fundamental Rights [EU Charter], Articles 7 and 8, a formulation updated
from that in the European Convention of Human Rights [ECHR], Article 8, which is “the right to respect
for … private … life ... home and correspondence”. On these instruments, see further 5.12-5.23 and
5.57-5.58 below.
2
B. J. Goold, “Surveillance and the Political Value of Privacy”, Amsterdam Law Forum (2009) (“Goold”).
3
See EL. Godkin, “The Rights of the Citizen: To His Reputation”, (1980) 8 Scribner’s Magazine 58, p. 65;
and R. Posner, “An Economic Theory of Privacy”, (1978) AEI Journal on Government and Society, 19,
p. 20.
4
See A. Rengel, Privacy in the 21st
Century, 2013, (“Rengel”), p. 29; Samuel Dash, The Intruders:
Unreasonable Searches and Seizures from King John to John Ashcroft, 2004 (“Dash”), pp. 8-10.
5
See Rengel, p 29, and Dash, pp. 8-10.
25

CHAPTER 2: PRIVACY
differences concerning what or how much is private;6
and humans need privacy to
develop into adults, court, mate and rear offspring.7
Perspectives on privacy
2.4. The elements of privacy are strongly interlinked, and subject to no academic
consensus. In the words of one scholar, privacy is “a value so complex, so entangled
in competing and contradictory dimensions, so engorged with various and distinct
meanings, that I sometimes despair whether it can be usefully addressed at all”.8
It
may however be useful to refer to a number of formulations that are of relevance to
the subject-matter of this Review.
2.5. A classic formulation of privacy is the right to be let alone,9
once proclaimed to be
the “most comprehensive of rights and the right most valued by civilized men”.10
This
right has been associated with human dignity,11
with the notion of the “inviolate
personality” and with the need for beliefs, thoughts, emotions and sensations to be
protected from unwanted prying.12
2.6. The same principle can be expressed in terms of a positive right to conceal or hide
information about ourselves. The idea of a “sphere” or zone in which privacy should
be assured can be extended by the idea that we operate in different spheres in
different situations: see for example the approach of the Canadian Supreme Court,
which has identified three broad types of privacy interest – territorial, personal and
informational – in respect of which different expectations and rules may apply.13
2.7. Privacy can also be understood in terms of control. Since knowledge is power, the
transfer of private information to the state can be seen as a transfer of autonomy and
of control. Even if the information is never actually read – for example, an electronic
communication which was obtained pursuant to a bulk data collection exercise but not
selected for scrutiny – the fact that it could be read may be seen as placing control in
the hands of the state. Control may also be transferred when information is given to
an online service provider, though with the distinguishing factors that consent is
required (nominally, at least) and that service providers, while they may use or sell
the data within the limits of their terms and conditions, lack the coercive powers of the
state.
6
See the discussion in Rengel, p. 28.
7
See Rengel, p. 28 and D. Solove, “Conceptualizing Privacy”, (2002) 90 Cal.L.Rev. 10987 (“Solove”).
Nagel has argued that it is our desire for privacy that separates us from other animals; T. Nagel,
“Concealment and Exposure”, (1998) Philosophy & Public Affairs, Vol 27 No 1 pp. 3-30, (“Nagel”) p. 18.
8
R. C. Post, “Three Concepts of Privacy”, (2001) 89 Geo. L.J. 2087.
9
S. Warren & L. Brandeis, “The Right to Privacy”, (1890-1891) 4 Harv. L. Rev. 193, p. 205.
10
Brandeis J dissenting in Olmstead v United States, 277 US 438 (1928), p. 478, later upheld by Katz v
United States 389 US 347 (1967).
11
See E. Bloustein, “Privacy as an Aspect of Dignity: An Answer to Dean Prosser”, (1964) 39 NYU L. Rev.
962 (“Bloustein”) p. 974.
12
As enumerated by Brandeis J in Olmstead v US.
13
R v Spencer, [2014] SCC 43 (CanLII), para 35 et seq.
26

CHAPTER 2: PRIVACY
Why is privacy important?
2.8. Intrusions into privacy have been compared, compellingly, to environmental damage:
individually their impact may be hard to detect, but their cumulative effect can be very
significant.14
It is all the more important, therefore, to appreciate precisely why privacy
matters, and how intrusions into it can damage the ecosystem that privacy helps to
support.
2.9. A good start is provided by the recent judicial description of privacy protection as “a
prerequisite to individual security, self-fulfilment and autonomy as well as to the
maintenance of a thriving democratic society”.15
As that statement implies, the privacy
ecosystem has individual, social and political aspects.
2.10. First, privacy enables the expression of individuality. Without privacy, concepts
such as identity, dignity, autonomy, independence, imagination and creativity are
more difficult to realise and maintain.16
Privacy allows us to think and create in
freedom, to choose how we love and with whom we share: it enables the “sheer
chaotic tropical luxuriance of the inner life” to flourish.17
It facilitates an inner sanctum
that others must respect. It grants us the freedom to function autonomously, without
our every action being observed (or countermanded) by others. Of course, if we
choose to express our individuality in criminal or anti-social ways, privacy can facilitate
that too.
2.11. Secondly and relatedly, privacy facilitates trust, friendship and intimacy: qualities
that allow us to relate freely to each other and that form the essential basis for a
diverse and cohesive society.18
Conversely, surveillance has been shown to lead to
self-censorship19
and the suppression of certain behaviour,20
though once again, anti
social as well as pro-social behaviour may be suppressed by surveillance.21
2.12. Thirdly, privacy is necessary for the securing of other human rights, ranging from
the freedom of political expression to the right to a fair trial. Just as democracy is
enabled by the privacy of the ballot box, so the expression of dissenting views is
enhanced by the ability to put them across anonymously:22
the ability of a
whistleblower to reveal state misconduct and of a journalist to report it requires an
assurance that the journalist’s sources will not be made known to the state.23
There
14
See J. Angwin, Dragnet Nation: A quest for privacy, security and freedom in a world of relentless
surveillance, 2014, (“Angwin”).
15
R v Spencer, para 15, summarising the effect of previous cases in the Supreme Court of Canada.
16
See Solove, p. 1145, and C. Fried, “Privacy”, (1968) 77 Yale LJ 475, discussing love, friendship and
trust.
17
Nagel, p. 4.
18
Goold; R. Post, “The Social Foundations of Privacy: Community and Self in the Common Law Tort”,
(1989) 77 Cal. L. Rev. 957.
19
See J. Kang, “Information Privacy in Cyberspace Transactions”, (1998) 50 Stan. L. Rev 1193, p. 1260.
20
A. Oulasvirta et al, “Long-term Effects of Ubiquitous Surveillance in the Home”, Ubicomp’ 12, 41.
21
To take a practical example, whether a person reports or owns up to scraping another vehicle in a car
park might depend on whether the incident is thought to have been recorded by CCTV.
22
This phenomenon long predates the internet age: see for example William Prynne’s anti-prelatical
pamphlet “Newes from Ipswich”, issued in 1636 under the name of Matthew White. The use of a
pseudonym and false Ipswich imprint (rather like a Tor exit node: 4.67(b) below) were attempts to
conceal the origin of a work that it was known the authorities would consider seditious.
23
See further 5.49-51 below.
27

CHAPTER 2: PRIVACY
can be no fairness in litigation involving the state if one party to it has the ability to
monitor the privileged communications of the other.24
Indeed, Lord Neuberger,
President of the UK Supreme Court, recently suggested that, “at least in many cases”
the right to privacy is “an aspect of freedom of expression”; as when one wishes to do
or say something only privately, it is an interference with expression when one
cannot.25
He noted that this is particularly true of anonymous speech, where an
author’s article 8 (privacy) rights “reinforce” his or her article 10 (expression) rights,
both generally and particularly in relation to confidential speech.26
2.13. Fourthly, privacy empowers the individual against the state. The state’s ability to
monitor communications offers opportunities for manipulation or control, for example
by the publication of truthful yet embarrassing facts or images intended to discredit or
tarnish the citizen; the ability to predict the actions of citizens and to respond to
perceived threats to power; the profiling of dissenters or minority groups; and the
capacity to control the information received or dispensed by the target.27
All these
practices, described by George Orwell,28
were known in totalitarian states from
Eastern Europe to Iraq, leading to the observation that intrusion on privacy is a
“primary weapon of the tyrant”.29
Echoes of such tendencies have also been observed
(and commendably brought to light) in the United States of America.30
Privacy: a qualified right
2.14. However powerful the need for privacy, it is not (as is, for example, the prohibition
against torture) an absolute right. Just as the interests of public safety and law
enforcement will sometimes have to give way to the right to privacy, so the right to
privacy may need to yield to competing considerations. That is acknowledged in
Article 8(2) of the ECHR, which approves interference by public authorities with the
right to respect for private life and correspondence in circumstances where that
interference is in accordance with the law, necessary and a proportionate method of
achieving specified objectives including the interests of national security, the
prevention of disorder or crime and the protection of health.31
24
See further 5.45-48 below.
25
Lord Neuberger at the Hong Kong Foreign Correspondents’ Club, “The Third and Fourth Estates:
Judges, Journalists and Open Justice”, 26 August 2014.
26
Lord Neuberger at 5 RB Conference, “What’s in a name? Privacy and anonymous speech on the
Internet”, 30 September 2014.
27
Frequently cited in this regard is the comment attributed to Cardinal Richelieu: “Show me six lines written
by the most honest man in the world, and I will find enough therein to hang him.”
28
Nineteen Eighty-Four, 1949.
29
Bloustein, p. 974.
30
The Church Committee, a Senate Committee that sat in the mid-1970s, concluded that “too many people
have been spied upon by too many Government agencies and too much information has been collected.
The Government has often undertaken the secret surveillance of citizens on the basis of their political
beliefs, even when those beliefs posed no threat of violence or illegal acts on behalf of a hostile foreign
power”. Reference was made to the careful surveillance of groups deemed dangerous, on the basis of
vague standards, and the use of “unsavoury and vicious tactics”. Famous examples set out by the
Committee include surveillance and thereafter improper pressure being applied to the Women’s
Liberation Movement and Dr. Martin Luther King (including using information obtained to encourage him
to commit suicide, or to destroy his marriage). The Committee also describes the seeking of “political
intelligence” from wiretapping under President Nixon and others, including Watergate: Final Report of
the Select Committee to Study Governmental Operations with respect to Intelligence Activities, 94th
Congress, 2nd
Session, Report No. 94-755, Book IV, pp. 5-13.
31
See further 5.21-5.22 below.
28

CHAPTER 2: PRIVACY
2.15. The state has a duty to keep those within its borders safe from criminality. That duty
is generally acknowledged to require some ability to intrude upon private
communications. Where communication channels are unwatched by the state, and
still more when they are incapable of being watched, criminals can act with impunity.
That common-sense observation is reflected in the routine activity theory, a
criminological staple which states that the three necessary conditions for most crime
are a likely offender, a suitable target and – significantly – the absence of a capable
guardian.
2.16. Whether such intrusion is appropriate, and if so to what extent, is a matter of fierce
debate: opinions differ, for example, as to whether it is permissible to interrogate the
communications of people not for the time being under suspicion, whether
communications providers should be obliged to retain data that they do not keep for
commercial purposes, and to whom and under what conditions such data should be
made available. Those who mistrust the state tend to argue that such powers should
not exist at all; others accept the powers but emphasise the need for robust
safeguards on their use. The question of trust is thus at the core of the issues to be
considered in this Review: a theme to which I return at 13.1-13.6 below.
2.17. But such debates should not be conducted simply on the level of individual versus
state. Any intrusion into privacy is liable to have an impact not only on that
relationship, but on the individual and social aspects of privacy, as summarised at
2.10-2.12 above. Those aspects, though less tangible, are just as important. If we
neglect them, we risk sleepwalking into a world which – though possibly safer – would
be indefinably but appreciably poorer.32
The position of the UK
Popular views
2.18. There are signs that the UK public is less troubled by surveillance issues than its
counterparts in some other countries (2.25-2.35 below); and that the same distinction
is apparent in the rulings of its courts (2.22-2.24 below).
2.19. The need to safeguard privacy against intrusion by the UK Government and its
security and intelligence agencies is widely appreciated in theory. Indeed to a
substantial minority of the population – including many of the campaigners who have
contributed to this Review – it is an issue of the highest importance. But for others, it
lacks practical resonance. It is easy to see the utility of closed circuit television
[CCTV] cameras, DNA databases and communications data in solving crimes,
identifying terrorists and protecting children from sexual abuse. It is harder to put a
concrete value on concepts such as human dignity and the inviolability of the private
sphere, particularly in a country which escaped the totalitarian excesses of the 20th
century (thanks in part to the successes of its security and intelligence agencies),33
32
The threat of “sleepwalking into a surveillance society” was thought to be a reality by the Information
Commissioner, introducing his Report on the Surveillance Society, (2006): see “Britain is ‘surveillance
society’”, BBC news website, 2 November 2006: see further 12.32 below.
33
To give two well-known examples from World War II, the Double Cross counter-espionage system
operated by MI5; and the successes of the Government Code and Cypher School, the forerunner of
29

CHAPTER 2: PRIVACY
and in which libertarianism remains an insignificant political force. People are
concerned or outraged by isolated uses of surveillance powers, especially by police
or local authorities;34
yet on a broader scale, there was a relatively muted reaction to
the publication in 2013-14 of secret documents purporting to reveal the aspirations
and inner workings of GCHQ and its partners.
2.20. But attitudes vary widely, both between individuals and over time. An alternative
strand of strong British opposition to state surveillance over private life may be
illustrated by examples from each of the past four centuries:
(a) Viscount Falkland, appointed Secretary of State in 1643, at the height of the
English Civil War, could never bring himself to exercise “the liberty of opening
letters upon a suspicion that they might contain matter of dangerous
consequence”, finding it (according to one of his close associates) “such a
violation of the law of nature that no qualification by office could justify a single
person in the trespass”.35
(b) The 18th
century jurist William Blackstone characterised eavesdropping as an
offence “against the public health of the nation; a concern of the highest
importance”.36
Celebrated cases of the period declared that there was no
power to issue a general warrant for the search of properties, for “if there was,
it would destroy all the comforts of society; for papers are often the dearest
property a man can have”.37
(c) In the wake of an 1844 parliamentary enquiry into the interception of letters
addressed to the Italian patriot Giuseppe Mazzini, the “secret branch” of the
Post Office (which dealt with foreign letters) and the deciphering office were
closed down, with the result that, according to one historian of the period, “[t]o
most intents and purposes, domestic political espionage in Britain stopped
shortly after 1848 ... until the story picks up again in the early 1880s”.38
Patriotic
pride in this state of affairs was expressed by Sir Thomas Erskine May, when
he wrote in 1863:
“Men may be without restraints upon their liberty: they may pass to and
fro at pleasure but if their steps are tracked by spies and informers, their
words noted down for crimination, their associates watched as
conspirators – who shall say that they are free? Nothing is more
GCHQ, in cracking the Enigma codes and so, very probably, shortening the war: C. Andrew The Defence
of the Realm: The Authorized History of MI5, 2010; and R.J. Aldrich, GCHQ: the Uncensored Story of
Britain’s Most Secret Intelligence Agency, 2010.
34
E.g. the revelation that Bob Lambert, an undercover police officer, tasked to infiltrate an environmental
protest group, fathered a child by one of the protesters, leading to a settlement of £425,000 from the
Metropolitan Police in 2014; see D. Casciani, “The undercover cop, his lover, and their son”, BBC
website, 24 October 2014.
35
E. Hyde, Earl of Clarendon, The History of the Rebellion, written in 1668-70: Oxford World’s Classics
edn., 2009, pp. 186-187. Falkland was equally resistant to “the employing of spies, or giving any
countenance or entertainment to them”. But the opening of letters continued: “convinced by the
necessity and iniquity of the time that those advantages of information were not to be declined, and
were necessary to be practised”, Falkland “found means to shift it from himself”: ibid.
36
Blackstone’s Commentaries, Book 4, Chapter XIII, p. 128.
37
Entick v Carrington 2 WILS KB 274, 807, pp. 817-818: see further at 5.4-5.8 below.
38
B. Porter, Plots and paranoia: a history of political espionage in Britain 1790-1988, 1989, pp. 77-81.
30

CHAPTER 2: PRIVACY
revolting to Englishmen than the espionage that forms part of the
administrative system of continental despotisms. It haunts men like an
evil genius, chills their gaiety, restrains their wit, casts a shadow over
their friendships, and blights their domestic hearth. The freedom of this
country may be measured by its immunity from this baleful agency.”39
(d) The dystopian society described in George Orwell’s book Nineteen Eighty-Four
was one in which the inhabitants of Oceania live and work in places equipped
with two-way “telescreens”, allowing them be watched at any time, and in which
correspondence is routinely opened and read before delivery. The link between
surveillance and total state control is a central theme of the novel, which after
its publication in 1949 resonated with particular force in the Soviet Union and
Communist Eastern Europe. Phrases such as “Big Brother” and “Thought
Police” remain commonplaces to this day in any debate on surveillance and its
limits.
2.21. So generalisation is dangerous. Attitudes will be shaped by experience, personal as
well as national. That is as it should be: tolerance of the need for surveillance rightly
depends both on how useful and on how intrusive it is, as well as on the threat picture
and the degree of risk that society, and its individual members, are prepared to
tolerate.
Judicial approaches
2.22. Different concepts of privacy are given prominence in different legal systems. Thus,
the concept of dignity is said to underlie continental, and particularly German, privacy
law, whereas liberty from the state finds more prominence in United States law.40
2.23. The UK – so often positioned midway between the norms of the US and continental
Europe – is in this respect something of an outlier: privacy protection from state
intrusion was given little emphasis by the common law, and has recently been
guaranteed largely under the influence of European legal norms.41
2.24. Article 8 is now applied domestically under the Human Rights Act 1998 [HRA 1998],
as discussed in detail below (5.13-5.14). However, there is still a striking difference
in emphasis between UK judges and the European courts as regards the degree of
protection to be accorded to privacy. For example:
(a) In a number of cases, unanimous rulings by the highest UK court have been
countermanded by unanimous rulings of the ECtHR upholding privacy rights.42
39
T.E. May, Constitutional History of England since the Accession of King George III, vol. 2, 1863, p.
275.
40
See J. Whitman, “Two Western Cultures of Privacy”, (2003-2004) 113 Yale LJ 1151.
41
See 5.11 and 5.17 below.
42
S v United Kingdom (Application no. 30562/04; judgment of 4 December 2008) (DNA retention: 0-5 in
the judicial House of Lords (0-10 if the lower courts are included) then 17-0 in Strasbourg); Kay v
United Kingdom (Application no. 37341/06; judgment of 21 September 2010) (home repossession: 0-7
then 7-0); Gillan v United Kingdom (Application no. 3158/05; judgment of 12 January 2010) (no-
suspicion stop and search: 0-5 then 7-0). A further case (MAK v UK (Application no. 45901/05;
31

CHAPTER 2: PRIVACY
(b) In Digital Rights Ireland (5.62-5.78 below), the CJEU was of the view that the
EU Data Retention Directive, which the UK Government had strongly promoted,
entailed “a wide-ranging and particularly serious interference with those
fundamental rights in the legal order of the EU”.43
(c) In a recent case about the retention of electronic data, Lord Sumption correctly
noted that the ECtHR “has in the past taken exception to the characterisation
of interferences by English courts with private life as being minor”, before once
again so characterising the retention of electronic data by the police on an
individual associated with a political protest group.44
It is hard to think of any other area of human rights law that is characterised by such
marked and consistent differences of opinion between the European courts and the
British judges who in most respects rank among their most loyal and conscientious
followers. To the extent that the law permits, it seems to me that there would be
wisdom in acknowledging and seeking to accommodate such differences, which owe
something at least to varying perceptions of police and security forces and to the
different (but equally legitimate) conclusions that are drawn from 20th
century history
in different parts of Europe.
Modern attitudes to privacy
2.25. Attitudes to privacy, surveillance, and investigatory powers are frequently surveyed.45
But the treatment of those surveys requires some care, as results may well be
influenced by a wide range of factors, including recent newsworthy events,46
the exact
wording of the question or indeed the identity of the questioner.
2.26. Even within the UK, people vary widely in their attitude to privacy. Research by
DEMOS into data sharing places people into different categories, described as:
nonsharers (30% of the population), sceptics (22% of the population), pragmatists
(20% of the population), value hunters (19% of the population) and enthusiastic
sharers (8% of the population).47
These groups have very different views on issues
relating to privacy. Moreover, research has showed that people’s own personal
judgment of 23 March 2010)) (duty of care to parents of children suspected to be subjects of abuse)
was 1-4 then 7-0.
43
Digital Rights Ireland, judgment at para 65.
44
R (Catt) v Commissioner of Police of the Metropolis and others [2015] UKSC 9, para 26.
45
Some of those I have considered are: Special Eurobarometer 359, Attitudes on Data Protection and
Electronic Identity in the European Union, (2011), (“Eurobarometer”); Demos, The Data Dialogue,
(2012), (“Demos”); Wellcome Trust, “Summary Report of Qualitative Research into Public Attitudes to
Personal Data and Linking Personal Data”, (2013) (“Wellcome Trust”); Pew Research Center, “Public
Perceptions of Privacy and Security in the Post-Snowden Era”, (2014) (“Pew, Public Perceptions”); Ipsos
MORI, “Public Attitudes to Science”, (2014), (“Ipsos MORI, PAS”); TNS-BMRB Polling 23-27 January
2014, (“TNS-BMRB”); Dr J. F. Rogers, “Public opinion and the Intelligence Services”; (2014) (“YouGov”);
Ipsos MORI for ESRC/ONS, “Dialogue on Data: Exploring the public’s views on using administrative
data for research purposes”, (2014) (“Ipsos MORI: ESRC/ONS”); Deloitte, Data Nation 2014: Putting
Customers First, (2014) (“Deloitte”); Ipsos MORI, “Public attitudes to the use and sharing of their data”,
for the Royal Statistical Society, (2014) (“Ipsos MORI: RSS”); and Pew Research Center, “Americans’
privacy strategies post-Snowden” (2015), (“Pew, Privacy strategies”).
46
It was stated in Ipsos MORI, PAS that the survey may have been influenced by recent NSA leaks and a
trial on phone hacking in the UK.
47
Demos.
32

CHAPTER 2: PRIVACY
environment, history and development has a significant effect on their desire or
otherwise for privacy,48
and that attitudes to privacy are highly contextual.49
2.27. In relation to privacy as against the state or public authorities:
(a) Public opinion tends to be more supportive of the use of data where there are
tangible public benefits.50
A TNS BMRB poll in 2014 showed that:
 most people (71%) “prioritise reducing the threat posed by terrorists and
serious criminals even if this erodes peoples’ right to privacy”;
 66% think that British security and intelligence agencies should be
allowed to access and store the internet communications of criminals or
terrorists;
 64% back them in carrying out this activity by monitoring the
communications of the public at large; and that
 whereas 60% were very or fairly concerned about social media websites
such as Facebook monitoring and collecting information about their
online activity, and 55% had the same concerns about search engines
such as Google, only 46% and 43% had the same concerns about the
US and UK Governments respectively.51
Further research shows that people see one of the benefits of surveillance as
enabling the government to protect them against crime, including terrorism.52
(b) Research by YouGov in 2013 showed that 49% of respondents agreed that the
UK Intelligence Services should be allowed in some circumstances to hack into
calls/emails/text messages of foreign citizens “with no questions asked”, as
against 27% who thought they should not. The equivalent figures for UK
citizens were 43% and 33%.53
Qualitative surveys have however shown
concern about being watched by “Big Brother”.54
(c) Whilst surveys show that the government is trusted more than commercial
companies,55
survey participants have expressed concern regarding the
48
See Nancy Marshall, “Privacy and Environment”, (1972) Human Ecology, Vol 1 No. 2, 92.
49
See Pew, Public Perceptions; Demos, which showed a greater concern regarding “personal information”
than “behavioural data”; Eurobarometer, which showed particular concern for financial, medical and
national identity number information compared to photos, social networks, websites and tastes and
personal opinions; and Wellcome Trust, which highlighted a number of distinguishing factors, including
the degree of risk if it is misused/stolen, the level of security attached to the data, whether it was
anonymous or personally identifiable data, the value of the data, whether it was extracted by free choice
or compulsion and whether the collector is governmental or private.
50
TNS-BMRB.
51
TNS-BMRB.
52
Wellcome Trust.
53
YouGov.
54
See the Wellcome Trust.
55
See 2.27(a) above, last bullet point, and Ipsos MORI: ESRC/ONS; Deloitte; Eurobarometer. Within the
US government at least, there may also be some differentiation; see Executive Office of the President,
33

CHAPTER 2: PRIVACY
government’s use of data,56
particularly in terms of profiling or leaks.57
Aligned
with the concepts of privacy outlined above, the public are particularly
concerned about their data being leaked, lost, shared or sold without their
consent.58
(d) Safeguards appear to be relevant to public levels of trust: where no mention of
safeguards is made the balance of opinion is against data sharing within
government, but with safeguards half are in favour of such sharing.59
2.28. Public surveys have shown particularly low levels of trust in relation to phone
companies and ISPs in dealing with data.60
A recent survey showed only between
4% and 7% had high levels of trust in such companies to use their data appropriately.61
They also show a general lack of confidence in the security of everyday channels,
social media being viewed as the least secure and a landline as the most secure.62
2.29. Some studies show differences in approach by age, although these are not consistent.
Several surveys show that younger people care less, trust organisations more, and
are happier with data collection and use or online surveillance than older
generations.63
However, the TNS BMRB poll showed that younger people gave a
higher priority to privacy when weighed against security,64
and polls in America have
shown that most teenagers take steps to protect their privacy online.65
Again, while
far from conclusive, there is some indication that social class may make a difference:
lower social classes showed greater levels of discomfort in relation to sharing their
data in the Wellcome Trust survey.
The Snowden effect
2.30. The Snowden Documents detailed the alleged extent of surveillance by British and
US security and intelligence agencies. Summarised at 7.6-7.7 below and in Annex 7
to this Report, these materials have influenced some people’s views on the balance
between privacy and security.
2.31. Particularly striking in this regard was the realisation of the extent to which
communications were being intercepted in bulk. It was not shocking to discover that
no means of communication is immune: that has been the case for as long as mails
have been opened and spies secreted behind the arras. But because such
techniques were haphazard, risky and resource-intensive, they have generally been
used sparingly, and on a targeted basis. Bulk collection of electronic messages, as
Big Data: Seizing Opportunities, Preserving Values, May 2014, in which law enforcement and
intelligence agencies were ranked low in terms of public trust.
56
See Ipsos MORI: ESRC/ONS, Deloitte, and Eurobarometer.
57
See Ipsos MORI: ESRC/ONS, and Deloitte.
58
Ipsos MORI, PAS; Deloitte; Demos; although it is expected and supported by the public that
governmental administrative data is linked and shared between departments; See Ipsos MORI:
ESRC/ONS.
59
Ipsos MORI: RSS.
60
Eurobarometer; Ipsos MORI: RSS.
61
Ipsos MORI: RSS.
62
Pew, Public Perceptions.
63
Wellcome Trust; Eurobarometer; Pew, Public Perceptions; Deloitte.
64
Wellcome Trust.
65
Pew Research Center, “Teens and Mobile Apps Privacy”, (2013).
34

CHAPTER 2: PRIVACY
the Snowden Documents brought home, can be achieved with far less effort and so
brings the potential (if not properly regulated) for spying on a truly industrial scale.
2.32. Two US surveys by the Pew Research Center highlight the influence of the leaks:
(a) In the 2014 study, most adults did not agree that it was a good thing for
government to “keep an eye” on internet activity, and adults who had heard
about government surveillance were more likely to think that internet oversight
by government has drawbacks.66
Overall, 80% of American adults agreed or
strongly agreed that Americans should be concerned about the government’s
monitoring of phone calls and internet communications, with just 18%
disagreeing or strongly disagreeing with that notion. According to the authors,
the survey confirmed the “clear trend” from support for collection of data as part
of anti-terrorism efforts to relative disapproval.67
(b) In the 2015 study, over a third of those who had heard of surveillance programs
had taken at least one step to hide or shield their information from the US
Government, with a quarter changing their use “a great deal” or “somewhat”.
However (in apparent contrast to the earlier findings), only 52% were
“somewhat” or “very” concerned about US Government surveillance of
Americans’ data and electronic communications, as against 46% who were “not
very” or “not at all” concerned.68
2.33. Further research undertaken worldwide appeared to show that the Snowden
Documents have “damaged one major element of America’s global image: its
reputation for protecting individual liberties”.69
Older Americans were more likely than
younger Americans to find it acceptable to spy on citizens of other countries, though
Americans in general (perhaps unsurprisingly) were more likely to approve of US
government surveillance of foreign nationals than of US citizens. However, people in
other nations found NSA surveillance of foreign nationals to be more objectionable
than that of Americans.70
Indeed, 71% of respondents in a worldwide study, including
70% of those in Five Eyes countries,71
were strongly opposed to the US monitoring
their internet use (with 60% wanting tech companies to secure their communications
to prevent this).72
66
Pew, Public Perceptions. A majority of adults disagreed with the statement “it is a good thing for society
if people believe that someone is keeping an eye on the things that they do online”, including 20% who
strongly disagreed. 36% agreed with the statement, including 7% who strongly agreed. Just 23% of
adults who have heard “a lot” about the revelations in the Snowden Documents thought online
surveillance was good for society, compared with 46% of those who had heard less about the
revelations.
67
Pew, Public Perceptions.
68
Pew, Privacy Strategies.
69
Pew Research Center, “Global Opposition to US Surveillance and Drones”, (2014) (“Pew, Global
Opposition”). This reflected changes in attitude of both Americans themselves and the global public.
70
Pew, Global Opposition.
71
The US, UK, Canada, Australia and New Zealand: see further 8.40-8.41 below.
72
Amnesty International, “Global opposition to USA big brother mass surveillance”, (2015) (“Amnesty”).
35

CHAPTER 2: PRIVACY
2.34. Such a change in attitudes is less apparent in the UK:
(a) Studies have ranked the UK as one of the countries least concerned by
government “spying” on internet and mobile communications. Along with
France, the UK had the lowest proportion of citizens who were opposed to it
(44%) in a global study in 2015.73
(b) Indeed, a number of studies showed that most people had already assumed
that the type of action alleged in the Snowden Documents was undertaken, and
only 27% were of the view that it was too intrusive.74
(c) Some recent studies have shown support for the use of data to predict and
prevent crimes,75
though others have shown low levels of trust in the UK
Government to use their data appropriately.76
2.35. One impact of the leaks in the Snowden Documents in the UK is that they damaged
people’s belief in the safety of their data; with most believing that neither government
nor private companies can now keep their data completely secure.77
But this has not
translated into support for the leaks: in a recent study, only 38% of those polled
believed that “leaks by Julian Assange and Edward Snowden” were justified.78
Is privacy dead?
2.36. Mark Zuckerberg, the founder of Facebook, stated in 2010 that privacy is no longer a
social norm.79
Others have gone further still, declaring it to be dead.80
In the words
of a recent newspaper article:
“We have come to the end of privacy; our private lives, as our grandparents
would have recognised them, have been winnowed away to the realm of the
shameful and the secret. ... Insidiously, through small concessions that
mounted up over time, we have signed away rights and privileges that other
generations fought for, undermining the very cornerstones of our personalities
in the process. While outposts of civilisation fight pyrrhic battles, unplugging
themselves from the web – “going dark” – the rest of us have come to accept
that the majority of our social, financial and even sexual interactions take place
over the internet and that someone, somewhere, whether state, press or
corporation, is watching.”81
73
Amnesty.
74
See TNS-BMRB.
75
Ipsos MORI, PAS.
76
Ipsos MORI: RSS; 13% had high trust in the British Government compared to 46% with low trust.
77
Ipsos MORI: ESRC/ONS.
78
TNS-BMRB. Interestingly, there was a gender bias highlighted by this study, with more men than women
saying that the revelations would do more harm than good.
79
“Privacy no longer a social norm, says Facebook founder”, The Guardian, 11 Jan 2011.
80
E.g. J. Morgan, “Privacy is completely and utterly dead, and we killed it”, Forbes.com, 19 August 2014.
81
A. Preston, “The death of privacy”, The Observer 3 August 2014.
36

CHAPTER 2: PRIVACY
But such colourful defeatism seems largely confined to the commentariat: 82
no one I
have heard from suggested that we have come to the end of privacy, or that routine
“watching” of our communications by the state happens or should be accepted.
2.37. Reports of privacy’s death have therefore been exaggerated. But it may legitimately
be asked whether the way we live online has changed our attitudes to privacy and
whether, if so, there are implications in this for the proper scope of state investigatory
powers.
2.38. It is hard to resist the proposition that notions of privacy have changed in recent years.
Many of us display an unprecedented willingness to share once-private information
with online contacts, service providers and the general public. For example:
(a) We use free email services, despite many of us being aware or suspecting that
the provider makes a profit from using the content of our communications to
direct advertising towards us.
(b) We allow our phones to act as mobile tracking devices, as reliable as any
professional surveillance team, again with increasing awareness that this
information too is liable to be monetised and that it can if necessary be obtained
by the state.
(c) Many of us post intimate observations on Twitter and photographs on apps
such as Instagram, to a potentially infinite number of recipients worldwide.
(d) We accept (generally without reading them) terms and conditions which allow
our data to be used, at the discretion of the service provider, for a bewildering
variety of purposes.
(e) We are becoming increasingly aware of the ease with which we can be
identified or profiled by anyone who chooses to combine different datasets.
(f) By clicking “Accept”, we may even enable our data to be sold to (via a data
broker) or shared with the governments of the UK or of other countries.
In the words of the well-known cryptographer and writer Bruce Schneier, “The bargain
you make, again and again, with various companies is surveillance in exchange for
free service.”83
2.39. But all this does not mean that privacy can no longer be protected, or that attempts to
regulate state power should simply be abandoned. Four observations may be
appropriate here.
2.40. First, the disastrous consequences that can follow from the over-sharing of private
information on social media are becoming more widely known, whether in the form of
cyber fraud, sexual grooming, so-called “slut-shaming” or online bullying. It should
82
Which is itself polarised: see Pew Research Center, “Digital Life in 2025: the Future of Privacy”, (2014),
which sets out the broad views of privacy experts.
83
B. Schneier, Data and Goliath, 2015, chapter 1. See, generally, 8.65-8.104 below.
37

CHAPTER 2: PRIVACY
not be assumed that privacy norms which have moved so rapidly in recent years are
now immutable, or that the direction of travel will not reverse. Indeed, Facebook itself
in December 2014 sent an update to users promoting its new “Privacy Basics” service,
noting that “protecting people’s information and providing meaningful privacy controls
are at the core of everything we do”.84
2.41. Secondly, it is clear that most people do care about their privacy, however defined,
and take steps to preserve it online.85
If those steps are ineffective, consumer
protection law should be doing more to ensure that only informed consent to the
sharing of their data will suffice.86
Moreover, it is false to assume that there is one
standard of privacy that attaches to all electronic communications: people treat
different types of information as entailing different levels of privacy (2.26 above), and
users of various platforms are mindful of the extent and degree to which that
information is available to others.87
2.42. Thirdly, the trend away from privacy is counterbalanced by the spread of encryption.
Companies make a selling point out of assuring their customers that (as in the case
of modern iPhones), not even the provider of the phone will be able to decrypt its
contents.88
2.43. Finally, the distinction between the activities of service providers and those of the
state, though sometimes elusive, is nonetheless real. The state has a duty to protect
its citizens. Pursuant to that duty, it asserts the right to intercept communications or
collect data without consent, and to use that information for the purpose of depriving
persons of their liberty. These powers are asserted, furthermore, even in relation to
people in respect of whom there is no reasonable suspicion that they have committed
any crime.
2.44. Recent changes in privacy norms are not without relevance: they may for example
have a bearing on whether there is a reasonable expectation of privacy in a particular
type of data at a particular time. They do not however amount to any sort of argument
for dispensing with constraints on the government’s collection or use of data. Indeed
as more of our lives are lived online, and as more and more personal information can
be deduced from our electronic footprint, the arguments for strict legal controls on the
power of the state become if anything more compelling.
84
Facebook update, 20 December 2014.
85
See Big Brother Watch/ComRes, Global Attitudes to privacy Online, October 2013 (“BBW/ComRes”).
86
See further 8.85-8.88 below. In the BBW/ComRes survey, 65% of consumers believed that national
regulators should do more to force Google to comply with regulations on online privacy and data
protection.
87
See A. Watts, “A Teenager’s View on Social Media”, 2 January 2015.
88
See the Privacy section on the Apple website: https://www.apple.com/privacy/government-information
requests/.
38

3. THREATS
Introduction
3.1. I am specifically directed by DRIPA 2014 s7 to consider “current and future threats to
the United Kingdom”, of the sort which the capabilities under review could be useful
in addressing. The UK faces a diverse range of security threats, from a wide array of
perpetrators, including terrorism, organised crime, espionage from hostile states and
cyber threats. All of these contribute to a multi-faceted national security threat, to
which the threat from crime adds a further dimension.
3.2. The calibration of response to threat is far from an exact science, not least because
the perceived severity of a threat depends on the fear that it evokes as well as on its
potential for harm. Some harm may be neither tangible nor immediate: for example,
long-term damage to the UK’s economic wellbeing, or a reduction in the UK’s ability
to act globally and achieve its international objectives. Such impacts are harder to
observe and to quantify than violent attacks. They may never come into the public
eye or receive widespread publicity. But without some notion of all these threats, it is
hard to pronounce on the extent to which intrusive powers are needed.
3.3. I received a great deal of evidence from the Government, law enforcement and the
security and intelligence agencies on the threats faced today and likely to be faced in
the future. For the purposes of this short summary, I have grouped them under two
headings: national security threats and crime and public safety. But before turning to
the detail, I make two preliminary points.
The threat in perspective
3.4. No one doubts the gravity of the threats that are faced by the UK and its inhabitants,
or the capacity of those threats both to take life and to diminish its quality.1
But it is
generally a mistake (though a surprisingly common one) to describe threat levels as
“unprecedented”. Two points need to be kept in mind:
(a) Events capable of taking life on a massive scale are a feature of every age and
every stage of development.2
(b) Whilst some of the threats faced at any given time will be realised, others will
not.
3.5. The last point was well made by Jonathan Evans (now Lord Evans of Weardale) in a
public speech as Director of MI5:
“Those of us who are paid to think about the future from a security perspective
tend to conclude that future threats are getting more complex, unpredictable
and alarming. After a long career in [MI5], I have concluded that this is rarely
1
I am grateful to Ray McClure, uncle to Fusilier Lee Rigby, for his thoughtful submission to the Review.
2
The Black Death probably killed at least a third of the population of Europe in the years after 1346. As
to violence, Steven Pinker of Harvard University has warned against “historical myopia”, and claimed
that “nostalgia for a peaceable past is the biggest delusion of all”: The Better Angels of our Nature
(2011), pp. 233, 838.
39

Report Calls for Reform of UK Surveillance Laws

Report Calls for Reform of UK Surveillance Laws

Recommended

Recommended

More Related Content

What's hot

What's hot (18)

Viewers also liked

Viewers also liked (11)

Similar to Report Calls for Reform of UK Surveillance Laws

Similar to Report Calls for Reform of UK Surveillance Laws (20)

Report Calls for Reform of UK Surveillance Laws